Some key embedded security technologies can be used both in the IoT endpoints and sensors, as well as in the IoT infrastructure to provide a defense in depth against tomorrow’s cyber threats. It is important that these measures be incorporated as the network is established and not as afterthoughts.
BY ROBERT DAY, LYNX SOFTWARE TECHNOLOGIES – October 2014
The Internet of Things (IoT) is driving toward ubiquitous connected embedded devices that can potentially be accessed from anywhere in the world. Wireless connectivity is helping to fuel that drive by removing many of the traditional barriers (cost, complexity, physical installation) that came with wired network connections. Although wireless connectivity is helping accelerate our connected world, it is also opening our new IoT world to an increased likelihood of cyber-attacks, especially around our critical infrastructure. A defense in depth strategy must be employed as we put this IoT infrastructure in place, as traditional network and endpoint security is not adequately containing today’s cyber threats.
Before looking at the security challenges, it’s a good idea to review a typical IoT network topology, which will help explain where the potentially vulnerable parts of an IoT connected system lie. We will use an example topology from the industrial automation world, often called SCADA (supervisory control and data acquisition), as applied to energy: the computer infrastructure around power generation and smart grid management, and around oil and gas refineries and distribution systems. The relatively recent cyber-attacks on foreign infrastructure, including the infamous Stuxnet worm that reached and manipulated the programmable logic controllers at an Iranian uranium enrichment facility, show just how vulnerable even the most secure, fortified and remote systems can be.
The embedded devices or “things” are typically linked to a physical item and have the primary function of communicating with that physical item. That communication might be read-only (i.e., monitoring) or read/write (monitor and control), and the data that is communicated can be read or initiated by either humans or machines (M2M). These physical systems can include smart meters and electricity control breakers for power control, or valves and flow meters for oil and gas. Either way, the integrity and confidentiality of the data is paramount to the reliable function of the system. These embedded devices are networked (to receive or provide data), but are typically not linked directly to the Internet; they are normally connected to a proprietary network that is usually local to the facility where the “things” are physically located. This could be an electricity substation, or a whole oil and gas plant, depending on the scale of the system. In the days before IoT, this was a relatively secure network, as access could only be obtained by being physically present at the site, and so it could be contained using physical security measures (security guards, barbed wire, etc.). As the cost and convenience of wireless networking has spread to these local networks, the physical security measures are no longer sufficient on their own, since an attacker can sit outside the physical perimeter and still reach the network over the air. So effective protection is required on both the embedded devices and the local network, but this is still relatively low on the security risk spectrum compared to where this data goes next (Figure 1).
Figure 1 An example Industrial IoT network topology.
For our ubiquitous IoT world, the data from these embedded devices now needs to be aggregated and fed to the people or machines that will use this data. This could include management and billing for the electric grid, and plant logistics, yield management, safety and control for oil and gas plants. Assuming that these consumers of the data are not physically located on site, this data will need to speed its way to another location, typically using the same Internet that everyone else in the world is connected to. Quite how much data leaves the site really depends on the application of the data, and also on how much local intelligence, aggregation and storage is available.
The connection to the Internet is generally achieved using a local gateway or router, in much the same way that a home router gives both Internet access and local Wi-Fi networking. These IoT gateways have to connect to all the local embedded devices (on their proprietary network) and then to the outside world using the Internet. Although they are often physically located on site, they are very open to the outside world through the Internet connection. This is a potential security nightmare, as anyone who gains control of the router has the keys to the physical kingdom without having to be physically present. Depending on how much intelligence is in the router, a lot of data analysis and aggregation could be done here, even though its primary function is still connecting and communicating data between two networks.
After the router has decided what data needs to be sent on, the data is generally encrypted and sent to the next destination. This is often a large data storage facility, often housed in the Cloud, where data analytics can be used to turn the raw data into meaningful information, such as billing or usage data, maintenance data, or yield and performance information. Alternatively, the data is sent to management and control systems where actions are taken, either by humans or machines, to control the embedded and physical devices at the site. So where are the vulnerabilities? Provided the transport encryption is implemented correctly (authenticated endpoints, validated certificates, current protocol versions), they are typically not in the data in transit. They are far more often at the two ends of the link: the router that holds the keys, and the final destination where the data is decrypted and hence vulnerable to theft or compromise.
Looking again at this somewhat simplified IoT network, it is easy to see that there are some attack points that really need to have good security. The embedded device itself is vulnerable either to local wireless attacks, or potentially to attack by a compromised router. The router itself is a huge potential attack point, as it is connected to both the local network and the Internet, and without some secure separation between the two, this could be a very easy place for remote cyber-attacks. Finally, the Cloud storage or remote management systems are also potential attack points, with a much larger potential payoff as they hold all the data (from all the embedded devices at all the sites), and will often have control and override functions at both a site and/or device level, plus they are all connected to the attack-prone Internet.
Defense in Depth
So, a defense in depth strategy needs to be implemented, to help protect all the vulnerable parts of the network from all types and methods of cyber-attack. Luckily, technology is available that, if used when the network is being designed (rather than as an afterthought), could dramatically reduce the chance or effect of an attack. Much of this technology has evolved to meet the security needs of the Department of Defense (DoD), which has been operating secure remote networks for decades, and where a compromise in any part of the network could be fatal to national security and hence is not an option.
Most of the world’s security functionality has been implemented as add-ons on top of existing infrastructure, or as patches to help seal security gaps in the infrastructure. As an example, think of protection that one needs for a regular desktop or laptop PC; antivirus software, firewalls, OS security patches, not to mention all the application security additions, and the vast amounts of network security appliances that surround the network infrastructure trying to thwart cyber-attacks, usually by looking for attacks that are similar to previous ones. In the IoT, rather like the DoD, one attack could be fatal, and therefore, preventative security needs to be built into all parts of the infrastructure.
Similar to the PC world, operating systems are often the key attack point as they are typically the highest privileged software in any given system, and if compromised offer keys to the control and data kingdoms. So there needs to be a better way to protect these operating systems than the traditional anti-virus or OS patch mechanisms that are normally used. Operating systems are used throughout all of the IoT infrastructure topology described above, and we need to look at security solutions for each of these parts separately. We will focus on securing the parts of the infrastructure that are typically considered embedded systems, the devices and the routers, as the Cloud and management systems have security issues that are generally serviced by IT security products and vendors.
First, the “things.” These are connected embedded systems, often not using large operating systems but hard real-time OSs (RTOSs) that support the networking function and the data extraction or control function of the physical item they are connected to. These RTOSs have traditionally been more secure than desktop OSs, partly because their proprietary interfaces were obscure to attackers, but mostly because they haven’t been as connected to the outside world as they are becoming with the IoT. Adding wireless network connectivity makes these “things” a lot more vulnerable, and obscure proprietary interfaces will not stop a determined attacker who has gained entry via the wireless network. However, if an RTOS is used that has built-in security functionality, especially one that was designed to meet the exacting security needs of DoD tactical systems, then it can raise the bar considerably against even a determined attacker.
Examples of operating systems with built-in security include Security Enhanced Linux (SELinux) and the LynxOS RTOS. Both of these operating systems introduce a number of key security concepts that help the OS contain malicious activity regardless of how it enters the system. These concepts can include access control on file system and other objects (discretionary access control lists, and in SELinux’s case mandatory access control enforced by labels and policy rather than by object owners), fine-grained user access control using roles and capabilities so that no single account holds all privileges, identification and authentication control of users, device and system resource quotas to limit denial-of-service by resource exhaustion, trusted path mechanisms so that a user can be sure they are interacting with the OS’s own security functions rather than a program impersonating them, and residual information protection so that memory and storage are cleared before reuse and cannot be read by the next holder (Figure 2). Note that these mechanisms only protect what is configured to use them; an RTOS with a security policy that grants every task every capability is no better off. With a suitable policy, an RTOS with these built-in security features is a strong fit for the embedded wireless device, as it still offers real-time characteristics, supports the required network functionality, typically has a smaller footprint than a GPOS like Linux, and now offers advanced protection.
Figure 2 A secure RTOS used to secure the embedded system connected to the “things.”
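Two of the properties listed above, resource quotas and residual information protection, are things the OS enforces, but the same ideas can be shown at application level so the behaviour is visible and testable. The following is an added example written for this article, not code from the article, from LynxOS or from SELinux. It assumes a POSIX host (the `setrlimit` quota is a stand-in for an RTOS-enforced system quota), and the 16-byte key in `main` is a constructed sample, not a real secret.

```c
/* Added example (not from the article, LynxOS or SELinux): resource quotas
 * against exhaustion attacks and residual information protection (clearing
 * secrets before memory is returned for reuse), shown on POSIX. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/resource.h>

/* Overwrite a buffer in a way the compiler may not optimise away: stores
 * through a volatile pointer are observable side effects, unlike a plain
 * memset() on memory that is about to be freed. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte in buf is zero, 0 otherwise. */
int is_wiped(const void *buf, size_t len)
{
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Model of a sensor node using a session key: copy it into working storage,
 * use it, then wipe it before the block goes back to the allocator where the
 * next allocation (possibly in another task) could read it. The XOR
 * checksum stands in for real use of the key. Returns 1 if the wipe was
 * verified, 0 on allocation failure. */
int use_session_key(const unsigned char *key, size_t key_len)
{
    unsigned char *work = malloc(key_len);
    if (!work) return 0;
    memcpy(work, key, key_len);
    unsigned char checksum = 0;
    for (size_t i = 0; i < key_len; i++) {
        checksum ^= work[i];
    }
    (void)checksum;
    secure_wipe(work, key_len);
    int clean = is_wiped(work, key_len);
    free(work);
    return clean;
}

/* Quota: cap the open file descriptors of this process so a flood of
 * connections cannot exhaust the descriptor table and starve the control
 * path. Only lowers the soft limit; never exceeds the hard limit.
 * Returns 0 on success, -1 on failure. */
int apply_fd_quota(rlim_t max_fds)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    if (max_fds < rl.rlim_cur) rl.rlim_cur = max_fds;
    if (rl.rlim_cur > rl.rlim_max) rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Current soft descriptor limit, 0 if it cannot be read. */
rlim_t current_fd_quota(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return 0;
    return rl.rlim_cur;
}

int main(void)
{
    /* constructed sample key for the demo, not a real secret */
    const unsigned char key[16] = {
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
        0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10
    };
    printf("key wiped before free: %s\n",
           use_session_key(key, sizeof key) ? "yes" : "no");
    int rc = apply_fd_quota(512);
    printf("fd quota applied: %s (soft limit now %lu)\n",
           rc == 0 ? "yes" : "no", (unsigned long)current_fd_quota());
    return 0;
}
```

On a secure RTOS the quota and the clearing of freed memory are done by the kernel for every task; the value of doing it in application code as well is that it does not depend on the deployment having configured the policy correctly.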
Secondly, the router. This is a bit more challenging to protect, as we are now dealing with a much more complex system that has to support multiple networks (including wireless), needs to connect securely to the untrusted Internet, and at the same time is passing and processing a large amount of data. Routers will often use an OS that is more complex than the traditional RTOS, and this presents a security issue of its own: a lot of software functionality and a large attack surface controlled by a single privileged software entity. A secure OS as suggested for the embedded systems is a good step in the right direction, but due to the complexity, the multiple networks and the link to the Internet, this really needs to be stepped up a notch, and leads us toward what is known as a multi-domain system.
In the DoD, secure OSs have been used for multi-domain systems linked to different networks at different levels of security classification, but the prevailing thoughts and technology for true domain separation call for something known as a separation kernel. This is at a higher level of privilege than the OS (i.e., it sits between the OS and the hardware), and its primary function (as the name suggests) is to separate the resources in the system, such that an attack in one domain cannot reach or compromise the other domain. In order to still offer the functionality required from an OS, the separation kernel also contains virtualization functionality that allows the “guest” OS (or OSs) to reside above it in separated secure virtual domains. This separation kernel approach gives some very interesting benefits when designing these highly intricate cornerstones of the IoT.
Firstly, security. The small separation kernel is the only software item at the highest privilege level, and if designed properly it will not contain untrusted elements such as device drivers or software stacks, as they can now reside in the lower privilege guest OSs. This substantially reduces the “attack surface” of the highest privileged software. Any attack on a guest operating system is contained in its own secure domain without compromising the rest of the system, which essentially stops the attack from spreading and reaching its intended target. This is key to protecting the proprietary network and the “things”: the most likely attack point is through the Internet, and the Internet-facing guest OS is not connected directly to the proprietary network, so the keys to the IoT kingdom are safely locked away in their own domain (Figure 3).
Figure 3 An IoT router/gateway securely protected by a separation kernel hypervisor.
Secondly, flexibility, suitability and performance. By having multiple guest operating systems in their own secure domains, we can now choose which OS best suits which domain. Before virtualization, a single OS had to control all the tasks in the router, and that generally meant adding general purpose functionality to an RTOS, or sacrificing real-time performance by using a GPOS. Now a GPOS can be used to connect to the Internet side of the router, and an RTOS (perhaps the secure RTOS described above) can be connected to the proprietary side. The two sides can only communicate with each other through the internal channels provided by the separation kernel, which can be carefully moderated and controlled (for example, restricted to a small set of validated message types) and in some instances made unidirectional, so that telemetry can flow out to the Internet side while nothing can flow back in.
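What “carefully moderated, controlled and in some instances unidirectional” can mean in practice is a policy check on every message crossing the channel between the two domains. The block below is an added example written for this article; it is not code from the article and not the configuration format of any separation kernel product. The frame layout (1-byte type, 2-byte register, 4-byte little-endian value), the register numbers, the bounds and the domain names are all constructed for illustration. The plant-to-Internet direction is modelled as telemetry-only, and the Internet-to-plant direction admits only bounded setpoints to an allow-listed set of registers, so a compromised Internet-facing guest can neither push firmware nor drive an actuator out of range.

```c
/* Added example (not from the article, not a LynxSecure policy file): a
 * model of the policy a separation kernel's inter-domain channel could
 * enforce between the Internet-facing GPOS domain and the RTOS domain that
 * owns the proprietary plant network. Frame format, registers and limits
 * are constructed for illustration. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

enum domain { DOM_INTERNET = 0, DOM_PLANT = 1 };
enum ftype  { FT_TELEMETRY = 1, FT_SETPOINT = 2, FT_FIRMWARE = 3 };

/* Fixed-size frame on the channel: type(1) | register(2, LE) | value(4, LE) */
#define FRAME_LEN 7

typedef struct {
    uint8_t  type;
    uint16_t reg;
    uint32_t value;
} frame_t;

typedef enum {
    VERDICT_ALLOW = 0,
    VERDICT_BAD_FRAME,
    VERDICT_WRONG_DIRECTION,
    VERDICT_TYPE_NOT_ALLOWED,
    VERDICT_REGISTER_NOT_ALLOWED,
    VERDICT_VALUE_OUT_OF_RANGE
} verdict_t;

/* Allow-list of registers the Internet side may write, with bounds.
 * Anything not listed is read-only from the Internet side. Constructed. */
struct reg_limit { uint16_t reg; uint32_t min; uint32_t max; };
static const struct reg_limit writable[] = {
    { 0x0010, 0, 100 },   /* valve opening, percent */
    { 0x0011, 50, 60 },   /* target frequency, Hz */
};

/* Parse raw bytes into a frame; rejects any length other than FRAME_LEN so
 * a malformed or truncated frame never reaches the policy logic. */
int parse_frame(const uint8_t *buf, size_t len, frame_t *out)
{
    if (buf == NULL || out == NULL || len != FRAME_LEN) return -1;
    out->type  = buf[0];
    out->reg   = (uint16_t)(buf[1] | (buf[2] << 8));
    out->value = (uint32_t)buf[3] | ((uint32_t)buf[4] << 8) |
                 ((uint32_t)buf[5] << 16) | ((uint32_t)buf[6] << 24);
    return 0;
}

/* Direction-aware policy. Plant -> Internet carries telemetry only (the
 * unidirectional case). Internet -> Plant carries only setpoints to
 * allow-listed registers, and only within bounds. Default is deny. */
verdict_t guard_decide(enum domain src, enum domain dst, const frame_t *f)
{
    if (src == dst) return VERDICT_WRONG_DIRECTION;
    if (src == DOM_PLANT && dst == DOM_INTERNET) {
        return f->type == FT_TELEMETRY ? VERDICT_ALLOW : VERDICT_TYPE_NOT_ALLOWED;
    }
    if (f->type != FT_SETPOINT) return VERDICT_TYPE_NOT_ALLOWED;
    for (size_t i = 0; i < sizeof writable / sizeof writable[0]; i++) {
        if (writable[i].reg != f->reg) continue;
        if (f->value < writable[i].min || f->value > writable[i].max)
            return VERDICT_VALUE_OUT_OF_RANGE;
        return VERDICT_ALLOW;
    }
    return VERDICT_REGISTER_NOT_ALLOWED;
}

/* Parse then decide; what the channel endpoint would call per message. */
verdict_t guard_forward(enum domain src, enum domain dst,
                        const uint8_t *buf, size_t len)
{
    frame_t f;
    if (parse_frame(buf, len, &f) != 0) return VERDICT_BAD_FRAME;
    return guard_decide(src, dst, &f);
}

int main(void)
{
    /* constructed sample frames */
    const uint8_t setpoint_ok[FRAME_LEN]   = { 2, 0x10, 0x00, 75,  0, 0, 0 };
    const uint8_t setpoint_high[FRAME_LEN] = { 2, 0x10, 0x00, 101, 0, 0, 0 };
    const uint8_t firmware[FRAME_LEN]      = { 3, 0x10, 0x00, 0,   0, 0, 0 };
    const uint8_t telemetry[FRAME_LEN]     = { 1, 0x20, 0x00, 0xE8, 0x03, 0, 0 };
    printf("setpoint 75%%   : %d\n", guard_forward(DOM_INTERNET, DOM_PLANT, setpoint_ok, FRAME_LEN));
    printf("setpoint 101%%  : %d\n", guard_forward(DOM_INTERNET, DOM_PLANT, setpoint_high, FRAME_LEN));
    printf("firmware push  : %d\n", guard_forward(DOM_INTERNET, DOM_PLANT, firmware, FRAME_LEN));
    printf("telemetry out  : %d\n", guard_forward(DOM_PLANT, DOM_INTERNET, telemetry, FRAME_LEN));
    printf("setpoint back  : %d\n", guard_forward(DOM_PLANT, DOM_INTERNET, setpoint_ok, FRAME_LEN));
    return 0;
}
```

The important design property is that the policy is default-deny and lives outside both guests: even with the Internet-facing GPOS fully compromised, the attacker's reach into the plant domain is bounded by the allow-list, not by how well the GPOS was patched.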
In summary, the infrastructure that enables the Internet of Things is very vulnerable to cyber-attacks, especially as it embraces modern communication technologies, such as wireless networking and the Internet. And the more critical the infrastructure, the larger the threat. Energy companies specifically need to be very vigilant in securing their infrastructure, as a widespread attack here could render cities, states and even the country helpless. However, embedded software technology such as secure OSs and separation kernels, which have been helping to secure military infrastructure, are now available to help protect the IoT as it becomes more ubiquitous.
Lynx Software Technologies
San Jose, CA